[squid-users] AD Ldap (automatically take the user that is logging on PC)
erdosain9
erdosain9 at gmail.com
Mon Aug 22 16:24:22 UTC 2016
Hi. I'm having problems with Kerberos.
I cannot create the keytab...
kinit squid (all good)
-----------------------------------------------------------------------------------------------------
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squid@xxxxxxx.LAN
Valid starting Expires Service principal
22/08/16 13:17:55 22/08/16 23:17:55 krbtgt/xxxxxx.LAN@xxxxx.LAN (isn't this strange? I mean krbtgt/EXAMPLE.LAN@EXAMPLE.LAN)
renew until 23/08/16 13:17:51
-------------------------------------------------------------------------------------------------------
msktutil -c -b "CN=Computers" -s HTTP/squid.xxxxx.lan -k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn HTTP/squid.xxxxxx.lan --server d02.xxxxxx.lan --verbose --enctypes 28
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 84
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-cfazrB
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: SQUIDPROXY-K$
-- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY-K$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/localhost from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for SQUIDPROXY-K$ with password.
-- create_default_machine_password: Default machine password for SQUIDPROXY-K$ is squidproxy-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: d02.xxxxxx.lan try_tls=YES
-- ldap_connect: Connecting to LDAP server: d02.xxxxxx.lan try_tls=NO
SASL/GSSAPI authentication started
SASL username: squid@xxxxxx.LAN
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
-- ldap_get_base_dn: Determining default LDAP base: dc=xxxxxxx,dc=LAN
-- ldap_check_account: Checking that a computer account for SQUIDPROXY-K$ exists
-- ldap_check_account: Computer account not found, create the account
No computer account for SQUIDPROXY-K found, creating a new one.
dn: cn=SQUIDPROXY-K,CN=Computers,dc=xxxxx,dc=LAN
Error: ldap_add_ext_s failed (Insufficient access)
-- ~KRB5Context: Destroying Kerberos Context
-------------------------------------------------------------------------------------
/etc/krb5.conf
[libdefaults]
default_realm = XXXXXXX.LAN
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
EMPDHPR.LAN = {
kdc = d02.xxxxxx.lan
admin_server = d02.xxxxxxx.lan
default_domain = xxxxxxxx.lan
}
What can I do?
Is any other info necessary?
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/AD-Ldap-automatically-take-the-user-that-is-logging-on-PC-tp4678994p4679081.html
Sent from the Squid - Users mailing list archive at Nabble.com.
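Two points in this thread that a small check can pin down: the krbtgt/REALM@REALM line in the klist output is the ticket-granting ticket itself, which is the expected form, and the [realms] stanza in the krb5.conf shown is named EMPDHPR.LAN while default_realm is XXXXXXX.LAN, which leaves kinit and msktutil without a KDC whenever dns_lookup_kdc = no (if that is not just redaction). The Python below is an added example, not code from the post or from msktutil; its klist output and krb5.conf text are constructed with placeholder realm and host names.

```python
import re

# Constructed sample inputs with placeholder names, shaped like the post's output.
SAMPLE_KLIST = """Default principal: squid@EXAMPLE.LAN
Valid starting     Expires            Service principal
22/08/16 13:17:55  22/08/16 23:17:55  krbtgt/EXAMPLE.LAN@EXAMPLE.LAN
"""
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.LAN
dns_lookup_kdc = no
[realms]
OTHER.LAN = {
kdc = d02.example.lan
}
"""

def has_tgt(klist_out: str) -> bool:
    """True if the cache holds a TGT: krbtgt/R@R where R is the principal's realm."""
    if not (m := re.search(r"^Default principal:\s*\S+?@(\S+)", klist_out, re.M)):
        return False
    r = re.escape(m.group(1))
    return re.search(rf"\bkrbtgt/{r}@{r}\b", klist_out) is not None

def parse_krb5_conf(text: str) -> dict:
    """Minimal krb5.conf parser: {'section' or 'section/STANZA': {key: value}}."""
    out, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stanza = line[1:-1], None
        elif line.endswith("{"):                 # e.g. "EXAMPLE.LAN = {"
            stanza = line[:-1].strip().rstrip("=").strip()
        elif line == "}":
            stanza = None
        elif "=" in line and section:
            key, _, value = line.partition("=")
            name = f"{section}/{stanza}" if stanza else section
            out.setdefault(name, {})[key.strip()] = value.strip()
    return out

def kdc_problems(conf_text: str) -> list:
    """Why kinit/msktutil would have no KDC for the default realm (empty = fine)."""
    conf = parse_krb5_conf(conf_text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    if lib.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1"):
        return []                                # KDC can come from DNS SRV records
    stanza = conf.get(f"realms/{realm}", {})
    return [] if "kdc" in stanza else [f"dns_lookup_kdc is off and no kdc is listed for {realm} in [realms]"]
```

The "Insufficient access" error at the end of the msktutil run is a separate matter: the account that kinit obtained the TGT for must be allowed to create computer objects under CN=Computers.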